On Wed, 24 Jul 2013 13:44:11 -0400, Greg Freemyer wrote:
Salting is not a new technique either.
True, but it might also have been less common for performance reasons. Older hardware, slower performance - you know the story. :) Or as well, that salting was perceived to provide little additional value because hardware was so slow, and if you were doing 200 passwords a minute, you were doing *really* well. Now with GPU-based cracking systems, you can do millions of password tests an hour without breaking a sweat, so increasing the complexity of the algorithm and introducing that salt value becomes much more significant a barrier. It's always been about risk vs. performance. Slower systems = lower risk, and performance optimizations meant that eking every last bit of performance out of an algorithm was important to overall system performance. Now that's not such a big deal. My smart phone has more processing power than my PC did 15 years ago.
And XP may be old, but it is also relatively common to be somewhere in a Windows network. You know, the one PC that has to run XP because the specialized app it runs doesn't support Win7, so a policy exception was granted for it. Or maybe it's embedded in a printer, but is joined to the domain for support purposes.
Even Windows 2000 servers are common in larger Windows shops. Often sitting out in a test network or other area of disregarded servers.
I don't believe with either of them (XP/2000) Microsoft supports an authentication system that is not easily attacked by rainbow table based attacks.
If a network of 5,000 Windows boxes has a few old XP / Windows 2000 machines on it, bad guys will target those boxes for exploitation.
They grab the SAM file, then crack any local admin accounts and any locally cached domain accounts (via rainbow tables), then use those new credentials to move around the network. Cracked domain accounts are great on their face, and most orgs use the same local admin password on numerous machines, so a cracked local admin login/password off of an XP / Win2000 box may give you local admin access to systems with more sophisticated security.
Sure, but that's neither here nor there when it comes to talking about how our forum authentication mechanism provides us greater protection than what the Ubuntu forums have. We're not really talking about the exploitability of operating systems that were created over a decade ago, but rather how cryptographic techniques that are more common in newer implementations provide additional protection. :)

Jim

--
Jim Henderson
Please keep on-topic replies on the list so everyone benefits

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
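As an added illustration of the salting point made in this thread (example code written for this page, not from either poster), the snippet below builds a small precomputed table against a fast unsalted hash, shows that a single table recovers any user's password in one lookup, and then shows why a per-user random salt plus a slow KDF makes that table useless. SHA-1 as the unsalted stand-in, PBKDF2-HMAC-SHA256 as the salted scheme, and the short wordlist are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist standing in for a precomputed rainbow table.
COMMON_PASSWORDS = ["password", "letmein", "opensuse", "summer2013"]
KDF_ITERATIONS = 50_000  # deliberately slow; raise on real systems


def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest: identical passwords give identical output."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute digest -> password once; reusable against every victim."""
    return {unsalted_hash(p): p for p in wordlist}


def table_recovers(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """O(1) lookup: this amortised cost is what makes unsalted storage weak."""
    return table.get(stored_digest)


def store_salted(password: str) -> Tuple[bytes, bytes]:
    """Server-side storage: fresh 16-byte salt + stretched digest per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted lookup:", table_recovers(unsalted_hash("letmein"), table))
    s1, d1 = store_salted("letmein")
    s2, d2 = store_salted("letmein")
    print("same password, different salted digests:", d1 != d2)
    print("salted lookup:", table_recovers(d1.hex(), table))
    print("login ok:", verify_salted("letmein", s1, d1))
```

With salts, the attacker has to rerun the slow KDF over the whole wordlist once per user instead of once in total, which is exactly the risk-versus-performance trade-off described above.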